Oh, I don't know. Just pick any random slashdot thread where a security vulnerability in an Apple product is mentioned. Those comments seem to rely pretty heavily on "it's about security, not marketshare" when the tables are reversed.

Untrue. By default you have Play, Google's curated app store. You can install other app stores or side load, but the default is just Play.

With great power comes great responsibility and all that. Besides which Apple's App Store isn't devoid of malware either, it's just a different kind of malware. My girlfriend is Chinese and there are a lot of Chinese apps, presumably not even visible in the western version of the store, that look extremely iffy. They ask you for random personal details, direct you to nasty looking web sites, and have masses of rip-off in-app purchases and pay-to-win scenarios.

You realise if an Apple user tried to spin that line in a story where 99% of malware was targeted at iOS they would be down modded into the ground, right?

"Here's tangible, documented proof of 99% of malware being on Android, but hey, some Chinese apps on iOS 'look a bit suspicious' so Apple is bad too!"

No man. The Google Play Store is checked for malware and things like that. The issue is a lot of people install apps they got from somewhere else. But you know what? More power to them. At least they can pick other places to shop instead of Apple's one sure way or go to the highway.

Auto-running a virus checker on uploaded apps does not a curated app store make. Curation is a human activity.

And Google Play is not free from malware. I've just been going through old Slashdot stories about mobile malware and most of the reports have been on Google Play (or The Android Market as it was previously known.). This notion that it's only the other stores that are a problem is false.

But you know what? More power to them. At least they can pick other places to shop instead of Apple's one sure way or go to the highway.

I keep seeing this line trotted out, but it only serves to distract from the real issue.

What I've seen time and again from these reports over the last year is that it isn't about Android vs. iOS: it's about app stores. The Google Play store, for instance, has been the source of very few malware incidents (i.e. something like 2-3% of the total). Most of the malware hitting Android is coming from third-party stores that are of questionable trustworthiness. As always, users should be advised to only install software from sources they trust. If iOS allowed users to install from third-party stores without jailbreaking, we'd be seeing the same problems on iOS, regardless of their current marketshare or lack thereof (besides which, marketshare is a measure that shouldn't be used in isolation when assessing the worth of a platform's users to developers, including malware developers).

So, please, stop painting this as an iOS vs. Android thing. Regardless of platform, the users being affected by this stuff, in general, are those grabbing apps from untrustworthy sources. Focus your attention there.

The problem is, Google Play isn't available in a lot of places where Android is. Say China, for example.

China's especially touching because the Chinese app stores are complete rubbish - full of pirated apps and Trojans and other crap.

But even in North America or Europe, sticking with Google Play is limiting, because there are tons of legit app stores as well. Say, Humble Bundle or Amazon. But the problem is the checkbox is all or nothing - either you only use Google Play, or you allow everything.

The problem with "let the user decide" is it ignores the ultimate reality of security - Dancing Pigs [wikipedia.org]. Basically a user cannot be trusted with their own security - they will always choose the least secure path if it gets them what they want. So if their friend shows them a new app they have to install manually, well, they'll do it.

Hell, even on iOS jailbroken users get broken into constantly. Because they install OpenSSH, usually because some HOWTO said to install it. There have been many iOS worms and Trojans that exploit the fact that if you can SSH into an iOS device, it's jailbroken so you can do many more things.

True, but you still need to set your phone to allow installation of apps from untrusted sources to install Android apps purchased as part of bundles, don't you? (Because the Humble Bundle app installs them, not the Play store).

This is an issue of transitivity of trust: Let's imagine that I trust Google Play to only include safe apps, so I install the Humble Bundle app from Google Play. However, in order to install any apps from the Humble Bundle store I have to allow the installation of all other apps. Inst

By that argument all computing devices should be locked down and not allowed to be general purpose. The internet should be heavily filtered and turned into a walled garden. Some people might like that, but a lot would reject it.

The thing about Chinese app stores is that they have got a lot better in the last couple of years. The reason why is rather obvious. The service provider usually provides the app store, and it is in their interest not to allow apps that rack up massive phone bills by texting premium

He didn't say anything about "should." He talked about "does." You're dragging him into a theoretical argument on the ethics of a curated platform he didn't start, largely because you can't win the technical argument about reality.

Here's reality: since all malware is software, any computing platform that's designed to run as much software as possible will include more malware than a more restricted platform. That is the reality of the situation. Whether the trade-off is worth it probably depends on a lot of

Why is it NOT OK to have a real choice, where people can choose a more open Android or a platform that ships with defaults that are vastly better for 98% of people that will own mobile devices?

That's a false dichotomy. Android is a platform that ships with defaults that are better for 98% of people that will own mobile devices. By default it only allows installation from the Google Play store.

That said, I have absolutely nothing against people having a choice between iOS and Android (and whatever else). I'd be very, very concerned if the walled garden were the only option, but it's not.

You're right. The way I should have phrased that is that it isn't about the security of the OSes themselves or their relative market shares, it's about the security of the stores from which the OSes procure their apps.

That said, I'd be careful in how you refer to them. This isn't an OS issue, per se, so much as this is a platform or ecosystem issue. We're not talking about inherent weaknesses in the OSes themselves; we're talking about weaknesses in other parts of the ecosystem that can affect the OS.

So, the iOS solution is to not _let_ users install apps from untrustworthy sources.

Android doesn't have a solution... so... there's that.

How is that not an iOS vs Android issue?

Because it's an App store problem. Google Play store and Amazon probably do a pretty good job on security but dozens of others do not. Both OSes are more or less equally vulnerable and if Apple allowed every Tom, Dick and Harry to sell iOS apps with zero effort to assure that they are selling malware-free software Apple would have the exact same malware problem that Google does with Android. Whatever else iTunes may be, as far as malware is concerned, iTunes seems to be a quite trustworthy source. To disti

Feel free to provide those. But since it's roughly 50/50 in the USA why aren't the attacks in the USA also not 50/50? Or is the USA of no interest at all to malware writers? (I would say the opposite).

But since it's roughly 50/50 in the USA why aren't the attacks in the USA also not 50/50?

Maybe they are. I can't say I have seen any such statistics and I certainly can't understand why malware writers in general would target only a specific geographic area or even how they would limit it to that area.

Nope, hence why I imagine. But the question remains, if install base in the USA is roughly 50/50, why are 99% of the mobile threats Android only. I don't think the install base of android vs. iOS taking the entire world into account is 99:1.

But the question remains, if install base in the USA is roughly 50/50, why are 99% of the mobile threats Android only.

Well the way I see it there are a number of contributing factors, Android has a much higher marketshare globally (restricting it to the US is silly because malware writers don't restrict their software geographically) so it is a larger target and it also allows installation of applications outside of Google Play. Apple disallows that and seems

Oh, market share is certainly a factor, but as I already detailed in another reply [slashdot.org], I hardly think it's the factor that matters most.

Also, I never suggested iOS outnumbered Android, whether at the high-end or not, nor would I, since I agree with you that that simply isn't the case. Setting aside your straw man, what you'll see is that I suggested that the US' population tends to reside disproportionately at the high-end of the market, relative to the world's smartphone market.

The future of smartphones is NOT the US, and the US is not even a decently large slice of the pie even in the high end (most mobile phones in China sell for over 3000 RMB - $500). It resides in Asia. Come on over to Shanghai and

The latter is easy, you can do research and fix the numbers accordingly. I think a lot of Slashdot users are tricked by cognitive bias because they themselves prefer Android over iOS (or the vocal ones do). I have a cyanogenmodded Kindle Fire (1st gen) and an iPad (4th gen) and prefer the latter over the former; to me Android (the cyanogenmod version) looks more ugly, which is also bias, of course. Oh, I am sure I can "fix" it by installing stuff, like I can "fix" Linux distros, but that's exactly what I w

I use Android devices simply due to cost. Wife has iPhone, it's nice. No bias here, Android had a lot of ground to make up wrt market share, I just thought they were further along and that tablets, rather than phones, were the place where more share was being taken... I got that backwards.

Kindle is not a good Android representation. I have 3 different Android tablets..they all 'just work'. Never saw any need to pay more cause I got what I need. I did get super frustrated trying to add some free apps to w

No idea why the Kindle Fire isn't a good representation (I have no problems with it). OK, it probably depends a lot on what you do with it. But Angry Birds and Sky Cups run great on it;-). As for the credit card, haven't encountered that one. I never needed a credit card to install apps on the iPad; I just bought an Apps or iTunes card in a local shop, entered the code and got credit. I am outside of the USA, so maybe that's the difference? (Also, I use my own email address instead of icloud).

I think if you've had an iTunes/store account for a while it's no problem, but try creating a new one now so that you can just download free apps and they require a credit card or a gift card. There is a workaround but you'd never figure it out without googling around... Apple certainly steers customers toward providing that card number.

You're bad at reading statistics. Your sources show that in Q1 2013, iOS had a market share of 48.2%. Then in Q3 2013, six months later, the market share was 29.6%. That still sounds like lots more Android. Look at that table on the Wikipedia article also. In Q2-Q3 2013, according to units sold or units shipped, iOS was between 14.2% and 18.2%, and Android was between 74.4% and 79%.

Yup, and wrt threats install base is way more interesting to look at than market share. So why if the install base is roughly 50 50 (or 60:40 with 60 for iOS) *why* do 99% of the threats target Android.

In related news: the market share of Christmas trees has plummeted significantly. Oh, and if you don't get that, you don't get marketshare (Hint: AUGUST 2013).

Are you suggesting that the market share of units sold changes for some reason 4 months before Christmas versus the rest of the year? Wouldn't the two OSs be sold in the same percentages both before and after Christmas? The price points aren't so different that something like that would happen.

Also, what is "the market share of Christmas trees"? Which market are you referring to there? In the Christmas tree market, the market share of Christmas trees stays roughly at 100% the entire year. Christmas tre

It isn't incredibly hard to make an OS that:
During a special system boot: You can only install drivers and bootable items.
During a security boot: You can only install software to its own directory, and it can't interact with other software or system files.

There, you can't get a virus. It's up to the OS designer to decide how to share things securely. There are lots of options which can be secure to do that, and isn't worth talking about securing the very system.

It's much easier to not even try at all. Remember Windows was written before the Internet was easily accessible by the public. Why do an expensive rewrite of an OS, when you can just sell your customers computers a sneeze away from getting a virus. Hey maybe even some of them are dumb enough to buy new computers and Windows products when their last one gets slow.

The issue is further confused by the mobile ecosystem itself. In a lot of cases, whether an app is "trojan malware" or "legitimately ad-supported product" has become a question of destination rather than behavior: the former will send your phone number, email addresses and/or contact list to some strange server in the far east, the latter will send them to AdMob et al... both major platforms have the same philosophy, it's not an Android/iOS fanboy issue.

During a special system boot: You can only install drivers and bootable items.
During a security boot: You can only install software to its own directory, and it can't interact with other software or system files.

There, you can't get a virus.

Sure, now just don't have any errors in any of your user space code, or don't allow multiple programs to share code (all static links) -- Every program will need its own image decoding software, no two programs will interact, so the camera app won't be able to pass off an image to the QR code app which passes the data to your browser or price checking, or etc. apps, etc. So long as you keep the bits of each program in 100% (virtualized) isolation from each other, and NEVER allow outside data in to exploit

...it makes sense that Android is being targeted, it has the market share...

Speaking as an Android fan, that is a cop out. Better we should fully concentrate on examining the attack vectors and closing them. IMHO, the major attack vector is Google's project governance: Android is not a faux-open project, therefore gets a tiny fraction of the peer review that is possible. Next item on the list would be: a security model designed on a whiteboard in a marketing meeting. Typical megacorp engineering approach, by the way. Third thing to regard with high suspicion: Java and anything to

Apple's iOS ecosystem seems pretty secure, a big part of that is app review/rejection.

Which is why no iOS device has ever been Hacked, erm sorry, I mean Jailbroken.

I'm pretty suspect of these figures, I have no doubt Android is higher due to mainly higher market share and number of devices but also due to the freedom of the Android operating system making it easier for malware writers to hide malware in dodgy app stores (Personally, I'll keep the freedom and take the risk as the risk is so low it's almo

This "99%" statistic for Android comes up every now and then, and what makes up for most of it, is the hazy third-party app repositories. If you stay in the selection of Google Play, you will mostly have your ass covered.

fwiw, the NSA has owned all platforms, so it's not like iOS is invincible.

I strongly suspect that it has less to do with any flaws in either OS, than it does in the fact that iPhones get regular updates/patches/etc, whereas the vast majority of Android phones do not.

This is the one thing that Apple really should get props for - they go out of their way to ensure that, within reason, older iPhones get patched/updated along with the newest ones. Meanwhile, all but a relatively tiny fraction of (global) Android users buy models where neither carrier nor manufacturer really gives a damn if the phones they sell ever see a patch. I mean, seriously - the cheap/low-end Android phones can still be found coming out brand new with 2.2/2.3 installed on the damned things.

Until that paradigm changes, the massive majority of malware and hacks will target the obviously juicy (and mostly obsolete and/or unpatched) Android market.

the cheap/low-end Android phones can still be found coming out brand new with 2.2/2.3 installed on the damned things

BS

I was surprised, but you're right: when I looked at the pre-paid devices offered by several mobile providers, I didn't find any that were being sold with a pre-4.x OS version. It is no doubt still possible to buy old Android phones with old Android versions, but even cheap devices by Huawei and ZTE are now coming out with Android 4.x

Unfortunately, because manufacturers often provide very poor ongoing support for devices, a large number of devices already in the market will never be updated. In that way, I a

Android devices do get regular updates direct from Google via Play, including security fixes. However, since Play is not available in some countries, notably China, those users are reliant on their provider (usually the mobile network operator).

So your statement that the "vast majority" don't get updates is simply wrong, particularly for people in the west and Japan/Korea, but applicable to China. Even so most malware does not rely on security flaws, it simply entices the user to install it (trojan).

This is the key point in this discussion, as it reveals the FUD from TFA. Note that TFA says "99 Percent of New Mobile Threats Target Android", but does not disclose the number of devices infected.

Right, I would be surprised if the percentage of Android devices infected is much different to the number of iOS devices infected, a little higher given the ability to install apps outside the official channel but probably not by much.

A lot of the malware exists because people can sideload apps. I would rather continue being able to sideload apps that I developed myself rather than pay Apple for the privilege of running my own code on my own device.

I would rather continue being able to sideload apps that I developed myself rather than pay Apple for the privilege of running my own code on my own device.

Personally I'm not that fussed about it, I can either jailbreak my device or shell out $99 (which includes the ability to publish and share my software with others) if I really want to do that. Either way it's no big deal.

Malware for Android is no different from malware for Windows or for OS X, the bulk of it is due to being able to run any code you want (where unless you wrote it you probably don't know what it does) and most people will just click through warnings about unsigned code, virtually none will

Malware for Android is no different from malware for Windows or for OS X, the bulk of it is due to being able to run any code you want (where unless you wrote it you probably don't know what it does) and most people will just click through warnings about unsigned code, virtually none will ever vet any code ever.

Absolutely 100% incorrect. I don't think you understand Android that well. Android will refuse to run unsigned apps - they MUST have a signature, though there is no certificate authority they have to go through. But, apps with differing signatures can't interfere with one another. This means that malware app A can't steal or inject information into Facebook app B. However Facebook app C can manipulate Facebook app B if that's what the publisher who holds the keys wants it to do. You are free to alter these

Android will refuse to run unsigned apps - they MUST have a signature, though there is no certificate authority they have to go through.

Right well "signed by anybody" isn't that much different from a code safety perspective than unsigned code, you still have to trust who it is signed by and while they might not be able to modify existing apps we can see that from the malware examples on Android (even though I don't believe that many are particularly widely circulated) that this doesn't make much of a difference in terms of their ability to be malicious.

But, apps with differing signatures can't interfere with one another.

The protections in modern Windows and OS X offer the same thing unless you start running

Obviously if you restrict yourself to the Google Play store it is very much the same thing as using an iOS device which is restricted to the Apple App Store. But that negates the biggest advantage of Android.

Say you restrict yourself to Google Play Store, Amazon Appstore, Humble Bundle, F-Droid, and applications you compiled yourself. Is the advantage still negated? In my opinion, the advantage of Android's "Unknown sources" and "adb install" model is 1. compiling apps yourself without having to replace your desktop computer and pay a recurring fee, and 2. ability of third-party app stores to build a reputation for quality control.

So of course you need to have a PC of some sort, if you want to run arbitrary code and you already have a PC but it isn't a Mac and you don't want to buy a Mac and don't know somebody that could build the binary for you on their Mac then obviously buy an Android device, the options are all there. I'm not advocating for one over the other but clearly if the cost is too much for you then by all means go for Android.

If all you want to do is tinker with Android, the cost is zero - the one-time fee only applies when you want to publish the app.

It ain't inherent security so much as it is inherent refusal to patch on the part of manufacturers and carriers.

It would be like putting up a Redhat 9.1 box with all default settings, giving it a public IP addy, and plugging it in directly to the Internet - sure it was very secure for its time, but unpatched and obsolete, it'll become just another victim.

Until manufacturers and carriers realize this (and stop thinking strictly like a damned CE company), this will continue to be the state of things.

Actually, I (personally) get it. I run a mix of MS-Win, Linux and Android devices at home, and I consider all to be equally "insecure".

Then again, I consider myself part of the "white noise". I don't surf for kiddie-porn, don't download (excessively large) amounts of copyrighted video and audio content, and I already know how to manufacture explosives (thus not needing an updated version of The Anarchist's Cookbook). I'm actually a law-abiding US citizen - but I'm perfectly happy to function as white noi

This comment reminds me of the people on Apple Support Communities who insisted that FlashBack was not actually a thing, that it was not infecting any systems, anywhere, and it was all just a big myth created by AV companies to sell product.

Meanwhile I was spending a day each week clearing FlashBack off dozens of infected student systems because the kids were too &*(@#$ stupid to not whack the monkey or whatever stupid thing they did in order to get infected (and god help us if we didn't give them admin